Thanksgiving Eve Wave Of IPs From Fort Lauderdale And British Virgin Islands Descends On PP Blog; Other IP (From Ukraine) Tries To Execute Command String That Suggests It’s Part Of Botnet Circling PP Blog And Another Well-Known Online Pub That Covers MLM

A Thanksgiving Eve wave consisting largely of IPs from Fort Lauderdale and the British Virgin Islands descended on the PP Blog beginning at approximately 12:35 p.m. ET today. It was accompanied by an IP from Ukraine that sought to execute a fractured command string focused on a PP Blog story that will be five years old in May.

Words and symbols contained within the command string strongly suggest that the Ukraine IP is a bot programmed to train its sights on the PP Blog and another well-known Blog that covers the MLM trade. For security reasons, the PP Blog, which notified the other Blog about the command string, is declining to name the publication. The Ukrainian IP has made at least 103 trips to the PP Blog.

The wave from Fort Lauderdale and the BVI was sudden and inexplicable. IPs from other countries and cities were present during the wave. It was not immediately clear whether the Fort Lauderdale/BVI wave had a nefarious purpose. IPs from those areas focused on the PP Blog’s “tag” archives. Some of the IPs were making their first trip to the PP Blog. Others had registered between two and 14 trips.

Another IP present (bearing a signature from Kansas City) during the wave tried to execute the same command string used by the Ukrainian IP — at the same time. The Kansas City IP also sought to execute a bogus command string that in part incorporated the URL of this March 5, 2012, PP Blog story: “UPDATE: Antihistorical ‘MoneyMakingBrain’ Claim: ‘Law Enforcement Agencies Don’t Pay Attention To What’s Being Said On Forums And Blogs’”

Of concern: Are systematic attacks on websites that cover HYIP fraud schemes under way? Could these attacks be designed to drain the system resources of antiscam sites? Are botnet commanders studying HYIP-related content to channel spam for HYIPs and other illegal or highly dubious “opportunities”? Could botnet commanders be acting as “protectors” of HYIP schemes?

[Image: Part of a wave of traffic at the PP Blog today.]

The PP Blog recently has published stories that touch on fraud linked to entities that have claimed a business presence in the BVI. The Fort Lauderdale/Boca Raton region in Florida has been a longtime venue in which securities fraud and other economic crimes occur.

NOTE: While the PP Blog was preparing the post above for publication, an IP from Jacksonville, Fla., arrived on the Blog and sought to execute the same command string used by the Ukraine and Kansas City IPs. This occurred at 3:01 p.m. ET. The Jacksonville IP has recorded 14 trips to the PP Blog.


4 Responses to “Thanksgiving Eve Wave Of IPs From Fort Lauderdale And British Virgin Islands Descends On PP Blog; Other IP (From Ukraine) Tries To Execute Command String That Suggests It’s Part Of Botnet Circling PP Blog And Another Well-Known Online Pub That Covers MLM”

  1. Quick note: Now a wave from Germany, with some from China mixed in. And a Fort Lauderdale IP has made a return visit.

    Patrick

  2. Quoted from story above: Words and symbols contained within the command string strongly suggest that the Ukraine IP is a bot programmed to train its sights on the PP Blog and another well-known Blog that covers the MLM trade. For security reasons, the PP Blog, which notified the other Blog about the command string, is declining to name the publication. The Ukrainian IP has made at least 103 trips to the PP Blog.

    Quick note: I’ve heard back from the other Blog operator noted in the story above.

    I am advised that command strings that include a specific URL from a THIRD Blog that covers MLM-related topics have appeared on the other Blog. So, the bots are circling at least THREE MLM-related Blogs, stripping URLs, placing them in command strings and trying to execute database commands.

    The other Blog operator also is reporting a horrendous volume of a specific type of spam.

    Patrick

  3. This morning, it’s what I’ll describe as a “mixed wave” with IPs from China, Maryland, Florida, the Netherlands and possibly Canada. I haven’t determined yet whether the Canadian IP is friendly or unfriendly. The others clearly are unfriendly.

    I’m currently looking at a snapshot of 13 IPs: Eight of them are trying to pull this story and execute a command string:

    http://patrickpretty.com/2012/09/09/disturbing-profitclicking-thread-at-moneymakergroup-ponzi-forum-used-in-zeek-related-disinformation-campaign-that-delivers-traffic-to-troy-doolys-blog-while-creating-brand-confusion-and-opportu/

    The Florida IP was seeking to pull this story, while executing a command string that included a URL from a separate domain that doesn’t even appear to cover Ponzi/fraud schemes. (It appears to cover birds.) Equally curiously, the word “liens” appeared in the command string. So did the word “Mafia.”

    It MAY be a bid to drive traffic to a website that may or may not sell electronic games. That’s just a guess.

    Here’s the story the IP was trying to pull:

    http://patrickpretty.com/2010/03/26/inetglobal-accuses-former-ceo-of-extortion-bid-says-company-is-solvent-accuses-government-of-leaking-search-warrant-affidavit-to-press/

    I remember this story well. The government more or less was accused of leaking information, and the PP Blog more or less was accused of being the beneficiary of the leaks.

    The attacking IPs appear to be trying to scour sites for the presence of certain words. If those words appear, some kind of process takes place — loading URLs into a cannon, perhaps — and then commanding a mischief-making army to do its thing.

    The more this happens, the greater the odds that PP Blog readers will be denied access to stories that can help them make informed decisions and keep track of developments in “programs” and Ponzi schemes.

    On a side note, The Salty Droid Blog appears to be experiencing another outage. My guess is that it’s a spambot wave or an equivalent traffic flood. The Salty Droid recently was down for a month or so.

    Patrick
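Comments 2 and 3 describe bots that lift a URL from one blog, place it in a command string and try to execute database commands against another, returning from the same IPs over and over. As an added defender-side example (not code from the post or its author), the following Python scans constructed access-log lines for requests whose query string carries both an embedded URL and a database keyword, and counts such hits per client IP; the sample IPs, paths and the keyword list are assumptions, since the post does not print the command strings it saw.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in common log format. IPs are RFC 5737 documentation
# addresses and the paths are placeholders, not the post's real requests.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Nov/2013:12:35:02 -0500] "GET /tag/zeek/ HTTP/1.1" 200 8123
198.51.100.7 - - [27/Nov/2013:12:35:04 -0500] "GET /2012/09/09/example-story/?q=http://example.org/other-story/%20UNION%20SELECT%201 HTTP/1.1" 200 8123
198.51.100.7 - - [27/Nov/2013:12:35:09 -0500] "GET /2012/09/09/example-story/?q=http://example.org/other-story/%20UNION%20SELECT%201 HTTP/1.1" 200 8123
192.0.2.44 - - [27/Nov/2013:15:01:00 -0500] "GET /2010/03/26/example-story/?id=1%20AND%20DROP%20TABLE%20http://example.net/birds/ HTTP/1.1" 500 0
203.0.113.10 - - [27/Nov/2013:15:02:00 -0500] "GET /2010/03/26/example-story/?ref=http://example.com/ HTTP/1.1" 200 8123
"""

# Client IP and the quoted request line of an Apache/nginx common-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')
# A full URL embedded in the query string: the "stripped URL" the comments describe.
EMBEDDED_URL_RE = re.compile(r'https?://[^\s&"]+', re.IGNORECASE)
# Assumed marker of a "database command"; the post names no specific keywords.
DB_KEYWORD_RE = re.compile(r'\b(?:UNION|SELECT|INSERT|UPDATE|DELETE|DROP|ALTER)\b', re.IGNORECASE)


def is_command_string(target: str) -> bool:
    """True when the query string (not the path) holds both an embedded URL and a DB keyword.

    Checking only the query avoids flagging story slugs that legitimately contain
    words such as "update".
    """
    query = unquote(urlsplit(target).query)
    return bool(EMBEDDED_URL_RE.search(query)) and bool(DB_KEYWORD_RE.search(query))


def count_command_strings(log_text: str) -> dict:
    """Return {client_ip: number of command-string requests}; benign lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_command_string(m.group("target")):
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(count_command_strings(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} command-string request(s)")
```

A plain referrer-style parameter carrying only a URL (the last sample line) is not flagged, which is why the check requires both signals before counting an IP.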

  4. Quick note: Salty Droid now appears to be back online.

    Patrick